Matt Peachey, VP & GM EMEA, Pindrop
Recent research by Financial Fraud Action UK (FFA UK) found that five million frauds occur every year across England and Wales, costing the UK around £24bn. What is interesting is that the extent of phone fraud has increased by 92% in just 12 months. While these figures are high, they are only part of the picture. Fraud, particularly on the phone channel, is much higher, and growing fast. The reason is that this channel has traditionally been overlooked in terms of protection.
Most businesses have been focusing on improving their cyber defences as attacks on this channel grow more sophisticated. The frequency with which these attacks hit the headlines understandably causes businesses to rethink their defence strategy. Increasingly, however, many have overlooked their most vulnerable line of defence: the phone. Phone security to date has lacked the innovation, education and sophistication needed to protect customers. Fraudsters are taking advantage of this, using cross-channel tactics to commit their crimes. Without the right authentication and fraud detection in place, organisations will continue to get duped, particularly as the boundaries between phone and online continue to blur.
Phone fraud is a growing problem for financial institutions due to its ease, low risk and low cost. It comes in many forms, with attacks in the call centre, in automated account management systems and in outbound verification systems, costing organisations in terms of losses, time and expense, and incident response.
For a fraudster, these paths present several advantages. Fraudsters are typically professional social engineers and experts at manipulating people. When speaking to a call centre representative, whose objective is, rightly, to prioritise being helpful, a fraudster knows that identifying and handling suspicious calls is not a core competency for that representative.
Once on the phone, the fraudster may attempt a direct attack, stealing funds via a wire transfer. They may request a rush or replacement card and then max out the card with purchases. If they don’t have all the credentials or access they need, they may opt to take more innocuous steps in order to set up a future attack. A change to the address, phone number or email allows them to transfer the point of contact to an asset they “own”. They can claim to be a customer who will be travelling overseas, resulting in lower fraud alerting levels at the bank.
Currently, the only clear defence against these fraudsters is the asking of a few personal questions (known as knowledge-based authentication or KBA). If a fraudster can provide that information, the ability to move funds is practically unrestricted.
Fraudsters can also steal from customers without talking to a representative. Automated systems or IVR (interactive voice response) systems allow access to a wide range of account activities that a fraudster can use to make substantial inroads to taking over an account.
As with a live rep, getting an account address, email or phone number changed can allow a fraudster to order a replacement credit or debit card and then clean funds out of an account. To be successful, they only need access to the account for a few hours before detection.
As well as costing financial institutions in terms of losses, call centre time and expense, and incident response, phone fraud also erodes trust with customers.
A variety of technologies have been developed to address this problem. Analysing the caller’s voice, also known as voice biometrics, focuses on authenticating callers to positively identify bank customers. Many UK institutions are moving towards this form of authentication and, while it is a useful way to verify customers, it cannot detect fraud.
Fraudsters have many techniques which help them bypass this layer of security. Distortive or synthesised noises can alter the sound of a voice, making it hard to verify and accurately define the user as fraudulent. To better combat fraud, organisations need to be able to identify new attackers before they can do damage. Identifying attackers in all parts of the phone infrastructure, from live calls to recorded calls, automated answering systems and outbound calling systems, is also necessary, as is a solution that uses either a phone number or call audio to identify and quantify fraud risk.
Phoneprinting™ technology is becoming a popular way to detect fraud and authenticate customers, as it identifies specific characteristics of each call, such as the location a call is coming from, the device, whether it’s a mobile or landline, and whether the phone has been used to call the company before. Combined, these can aid in detecting fraudulent activity before it becomes an issue.